chore(deps): update dependency system.identitymodel.tokens.jwt to v8

[descope]

This PR contains the following updates:

Package	Type	Update	Change
System.IdentityModel.Tokens.Jwt	nuget	major	7.5.1 -> 8.0.1

---

Release Notes

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (System.IdentityModel.Tokens.Jwt)

v8.0.1

Compare Source

=====

Bug fixes

• IdentityModel now resolves the public key to EPK. See issue #​1951 for details.
• Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #​2682 for details.
• For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #​2737 for details.

Performance improvement

• AppContext.TryGetSwitch statically caches internally but takes out a lock.
  .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #​2722 for details.

v8.0.0

Compare Source

=====

CVE package updates

CVE-2024-30105

• See PR #​2707 for details.

Breaking change:

Full list of breaking changes.

• A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #​2700 for details.
• Make CollectionUtilities.IsNullOrEmpty internal. See issues**https://togithub.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2651dotnet/issues/2651) and #​1722 for details.

Overall improvements to the validation in IdentityModel:

• See design proposal #​2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

• Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #​2698 for details.

Bug fixes:

• Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #​2680 for details.
• Continuation of #​2637 and #​2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.
• The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0
  
• The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0
• Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #​2524 for details.
• When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #​1970.

Fundamentals

• Remove code that was used in target frameworks that got removed. See PR #​2673 for details.
• Rename local variables for better readability. See PR #​2674 for details.
• Refactor XML comments for improved clarity. See PR #​2676, #​2677, #​2678, #​2689 and #​2703 for details.
• Fix flaky test. See issue #​2683 for details.
• Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #​2661

v7.7.1

Compare Source

7.7.1

Bug Fix

• Re-add JsonSerializerPrimitives.TryAllStringClaimsAsDateTime which was removed as it is in an internal class, but due to InternalsVisibleTo can lead to a MissingMethodException if IdentityModel versions are not aligned. See PR #​2734 for details.

v7.7.0

7.7.0

CVE package updates

CVE-2024-30105

• A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Opt in to the new behavior via an AppContext switch. See PR #​2715 for details.

v7.6.2

Compare Source

7.6.2

Bug Fix:

• Revert reduced allocations in AadIssuerValidator by not using string.Replace where appropriate due to an index out-of-range error.

v7.6.1

Compare Source

=====

New Features:

• Added an Audiences member to the SecurityTokenDescriptor to make it easier to define multiple audiences in JWT and SAML tokens. Addresses issue #​1479 with PR #​2575
• Add missing metadata parameters to OpenIdConnectConfiguration. See issue #​2498 for details.

Bug Fixes:

• Fix over-reporting of IDX14100. See issue #​2058 and PR #​2618 for details.
• JwtRegisteredClaimNames now contains previously missing Standard OpenIdConnect claims. See issue #​1598 for details.

Performance Improvements:

• No longer for every string claim, calling DateTime.TryParse on each value, whether it is expected to be a DateTime or not. See issue #​2615 for details.

v7.6.0

Compare Source

=====

New Features:

• Update JsonWebToken - extract and expose the method that reads the header/payload property values from the reader so it can be overridden in children classes to add any extra own logic. See issues #​2581, #​2583, and #​2495 for details.

Bug Fixes:

• JWE header algorithm is now compliant to IANA document. See issue #​2089 for details.

Performance Improvements:

• Reduce the number of internal array allocations that need to happen for each claim set, see PR #​2596.

Fundamentals:

• Add an AOT compatibility check on each PR to ensure only AOT compatible code is checked-in. See PR #​2598.
• Update perl scrip for OneBranch build. See PR #​2602.
• Add langversion 12 to benchmark tests. See PR #​2601.
• Removed unused build.cmd file. See PR #​2605.
• Create CodeQL exclusions file. See PR #​2609.
• Fix variable usage in AOT script. See PR #​2610.
• Move Microsoft.IdentityModel.Tokens delegates to a new file. See PR #​2606

v7.5.2

Compare Source

=====

Bug Fixes:

• Validate authentication tag length so a JWE with appended characters will not be considered a valid token. See issues #​2201, #​1641, PR #​2569, and IDX10625 Wiki for details.

Fundamentals:

• App Context Switches in Identity Model 7x are now documented here.

Performance Improvements:

• In .NET 6 or greater, use a temporary buffer to reduce intermediate allocation in VerifyRsa/VerifyECDsa. See PR #​2589 for more details.
• Reduce allocations in ValidateSignature by using a collection expression instead of new List<SecurityKey> { key }, to optimize for the single element case. See PR #​2586 for more details.
• Remove Task allocation in AadIssuerValidator. See PR #​2584 for more details.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[descope]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.